CVE-2026-28855 Overview
CVE-2026-28855 is a permissions vulnerability affecting Apple's iOS, iPadOS, and macOS operating systems. The flaw stems from improper access control (CWE-284) that allows a malicious application to bypass permission restrictions and access protected user data without proper authorization.
The published scoring records a network attack vector with no privileges and no user interaction required. That should be read together with Apple's description of the flaw, in which the actor is an app running on the device: the practical precondition is that a malicious or compromised app has been installed, not that the device is reachable over the network. Apple has addressed the issue with additional permission restrictions in iOS 26.3, iPadOS 26.3, and macOS Tahoe 26.3.
Critical Impact
A malicious application can bypass permission controls to access sensitive protected user data on affected Apple devices, potentially exposing private information without user consent.
Affected Products
- Apple iOS (versions prior to 26.3)
- Apple iPadOS (versions prior to 26.3)
- Apple macOS Tahoe (versions prior to 26.3)
Discovery Timeline
- 2026-03-25 - CVE-2026-28855 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-28855
Vulnerability Analysis
This vulnerability falls under the category of Improper Access Control (CWE-284), where the affected Apple operating systems fail to properly enforce permission boundaries for application data access. The flaw allows applications to circumvent the standard permission model that protects sensitive user data.
The scored metrics give a network attack vector with no privileges or user interaction required; in practice the flaw is exercised by code already running on the device, so the threat model is a malicious or trojanized app rather than a remote unauthenticated attacker. The impact is limited to confidentiality: protected user data can be read, but the scoring records no effect on integrity or availability. The practical consequence is silent disclosure, because the access does not go through the normal permission prompt.
Root Cause
The root cause is insufficient enforcement of permissions in the operating system's data protection framework: a check that should stop an app from reading protected user data could be bypassed. Apple describes the fix only as additional permission restrictions, so the exact check that was missing is not known from the advisory. What is known is that Apple's model depends on sandboxing plus per-category permission grants for this data, and that this flaw provided a path around such a grant.
Attack Vector
The vulnerability is exploited by a malicious application running on the target device. The attack proceeds as follows:
- An attacker gets the app onto the device (enterprise distribution, a compromised legitimate app, or social engineering)
- Once running, the app uses the permissions flaw to read protected user data it was never granted
- No permission prompt is shown, so the user gets no signal that the data category was accessed
- Beyond installing and launching the app, no further user interaction is needed; the access happens in the background
The network attack vector in the scoring should not be read as remote exploitation without a local app. Sending the stolen data to a remote server is a separate step that any app with network access can perform, and it is the step most likely to be visible from the network side.
Detection Methods for CVE-2026-28855
Indicators of Compromise
- Applications reaching protected data categories (contacts, photos, calendar, location, health data) with no matching grant in the permission logs; on macOS the relevant records come from tccd under the com.apple.TCC subsystem of the unified log
- Unusual network traffic from applications whose stated functionality does not require network access
- File system access targeting user data containers outside an application's own sandbox
- Log entries showing data access events for an app and category that have no preceding permission request or user grant
Detection Strategies
- Monitor application behavior for unauthorized access to protected data APIs and file paths
- Implement Mobile Device Management (MDM) solutions to enforce application allow-lists and detect unauthorized software
- Review system logs for permission-related anomalies and unexpected data access patterns
- Deploy endpoint detection solutions capable of identifying applications exhibiting data exfiltration behaviors
Monitoring Recommendations
- Enable comprehensive logging on managed Apple devices to capture application permission requests and data access events
- Configure security tools to alert on applications accessing sensitive data categories (contacts, photos, location, health data) without corresponding user-granted permissions
- Establish baseline application behavior profiles to detect deviations indicative of exploitation attempts
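The check the indicators and detection strategies above describe, written out as an added example (not code from this page or from Apple): read tccd's access-decision records from a macOS unified-log JSON export, then flag any app that was granted a protected service the fleet baseline does not know about. The baseline, the bundle identifiers and the log records are constructed for the example, and the AUTHREQ message text is an approximation of tccd's format (an assumption) that must be adjusted to the real output of the macOS build being monitored.

```python
"""Flag apps that reach TCC-protected services without a known user grant.

Added example, not code from the page or from Apple.  Input is the JSON shape
produced by `log show --style json`; only the com.apple.TCC subsystem is used.
"""
import json
import re

# auth_value meanings as reported by tccd (the 0/1/2/3 mapping is an assumption)
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

RE_SERVICE = re.compile(r"service=(kTCCService\w+)")
RE_CLIENT = re.compile(r"client=([A-Za-z0-9._-]+)")
RE_AUTH = re.compile(r"auth_value=(\d+)")

# Constructed baseline: bundle id -> services the user is known to have granted.
EXPECTED_GRANTS = {
    "com.example.crm": {"kTCCServiceAddressBook"},
    "com.example.photoeditor": {"kTCCServicePhotos"},
}

TCCD = "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd"

# Constructed sample records (not a captured log); message text is an approximation.
SAMPLE_LOG = json.dumps([
    {"timestamp": "2026-03-26 09:14:02.113421+0000", "subsystem": "com.apple.TCC",
     "category": "access", "processImagePath": TCCD,
     "eventMessage": "AUTHREQ_RESULT: msgID=412.7, function=TCCAccessRequest, "
                     "service=kTCCServiceAddressBook, client=com.example.crm, auth_value=2"},
    {"timestamp": "2026-03-26 09:14:05.771002+0000", "subsystem": "com.apple.TCC",
     "category": "access", "processImagePath": TCCD,
     "eventMessage": "AUTHREQ_RESULT: msgID=412.9, function=TCCAccessRequest, "
                     "service=kTCCServicePhotos, client=com.example.crm, auth_value=2"},
    {"timestamp": "2026-03-26 09:15:40.004311+0000", "subsystem": "com.apple.TCC",
     "category": "access", "processImagePath": TCCD,
     "eventMessage": "AUTHREQ_RESULT: msgID=413.2, function=TCCAccessRequest, "
                     "service=kTCCServiceCalendar, client=com.example.weather, auth_value=0"},
    {"timestamp": "2026-03-26 09:16:12.550193+0000", "subsystem": "com.apple.TCC",
     "category": "access", "processImagePath": TCCD,
     "eventMessage": "AUTHREQ_RESULT: msgID=413.4, function=TCCAccessRequest, "
                     "service=kTCCServiceSystemPolicyDocumentsFolder, "
                     "client=com.example.weather, auth_value=2"},
    {"timestamp": "2026-03-26 09:17:00.000000+0000", "subsystem": "com.apple.securityd",
     "category": "default", "processImagePath": "/usr/libexec/securityd",
     "eventMessage": "unrelated record that must be ignored"},
])


def parse_tcc_decisions(log_json):
    """Return (timestamp, client, service, decision) for each tccd access decision."""
    decisions = []
    for rec in json.loads(log_json):
        if rec.get("subsystem") != "com.apple.TCC":
            continue
        msg = rec.get("eventMessage", "")
        svc, cli, auth = RE_SERVICE.search(msg), RE_CLIENT.search(msg), RE_AUTH.search(msg)
        if not (svc and cli and auth):
            continue  # context or prompt lines that carry no decision
        decision = AUTH_VALUE.get(int(auth.group(1)), "unknown")
        decisions.append((rec["timestamp"], cli.group(1), svc.group(1), decision))
    return decisions


def find_unexpected_access(decisions, expected=EXPECTED_GRANTS):
    """Flag granted accesses that have no matching entry in the baseline.

    A denied request is ordinary OS behaviour and is not flagged.  A granted
    request to a service the baseline does not list for that client is the
    pattern the indicators above describe.
    """
    findings = []
    for ts, client, service, decision in decisions:
        if decision not in ("allowed", "limited"):
            continue
        if service not in expected.get(client, set()):
            reason = ("client not in baseline" if client not in expected
                      else "service not granted in baseline")
            findings.append({"timestamp": ts, "client": client,
                             "service": service, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_access(parse_tcc_decisions(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['client']} -> {f['service']}: {f['reason']}")
```

On a real Mac the input comes from `log show --last 1h --style json --predicate 'subsystem == "com.apple.TCC"'`; note that some fields in tccd messages are redacted as `<private>` unless a logging configuration profile that lifts the redaction is installed. Two caveats: a bypass that never consults tccd leaves no decision record at all, so this check has to be paired with the sandbox file-access and network indicators above, and on iOS and iPadOS the same records are only reachable through a sysdiagnose or MDM-collected logs, not from the device shell.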
How to Mitigate CVE-2026-28855
Immediate Actions Required
- Update all affected devices to iOS 26.3, iPadOS 26.3, or macOS Tahoe 26.3 immediately
- Audit installed applications and remove any untrusted or unknown software
- Enable automatic updates to ensure timely installation of future security patches
- Review application permissions and revoke access an app does not need; on macOS this is System Settings > Privacy & Security, or tccutil reset <service> <bundle-id> from a shell
Patch Information
Apple has released security updates that address this vulnerability with additional permission restrictions:
- iOS and iPadOS 26.3: See Apple Security Advisory 126346
- macOS Tahoe 26.3: See Apple Security Advisory 126348
Organizations should prioritize deployment of these updates across all managed Apple devices to eliminate the vulnerability.
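A patch-level check that applies the fixed versions named above to a device inventory, as an added example (not Apple's code and not from the page). The inventory format, a list of records with a platform and an OS version string, is an assumption standing in for an MDM export; the device names and versions are constructed. The check compares versions numerically rather than as strings, so 26.10 is correctly treated as later than 26.3, and it reports platforms or macOS majors the page does not list as "not covered" rather than as safe.

```python
"""Patch-level check for CVE-2026-28855 over an inventory of Apple devices.

Added example; fixed versions are the ones the advisory text above names.
The inventory shape is an assumption for an MDM export.
"""
import re

# Fixed versions named on this page.  Platforms not listed here are reported as
# "not covered by this advisory", not as patched: the page says nothing about them.
FIXED_VERSIONS = {
    "iOS": (26, 3),
    "iPadOS": (26, 3),
    "macOS": (26, 3),   # macOS Tahoe (26.x); earlier majors are handled in classify_device
}

# Constructed inventory (device names and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"device": "iphone-0142", "platform": "iOS", "os_version": "26.3"},
    {"device": "iphone-0077", "platform": "iOS", "os_version": "26.2.1"},
    {"device": "iphone-0005", "platform": "iOS", "os_version": "18.7.2"},
    {"device": "ipad-0031", "platform": "iPadOS", "os_version": "26.3.1"},
    {"device": "mbp-0208", "platform": "macOS", "os_version": "26.2"},
    {"device": "mbp-0119", "platform": "macOS", "os_version": "15.7.2"},
    {"device": "vision-0003", "platform": "visionOS", "os_version": "26.3"},
]


def parse_version(text):
    """'26.2.1' -> (26, 2, 1); tolerates trailing text such as a build tag."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version, fixed):
    """True when version >= fixed, comparing numerically with missing parts as 0."""
    v, f = parse_version(version), tuple(fixed)
    n = max(len(v), len(f))
    return v + (0,) * (n - len(v)) >= f + (0,) * (n - len(f))


def classify_device(record):
    """Return 'patched', 'VULNERABLE' or 'not covered by this advisory'."""
    platform = record["platform"]
    if platform not in FIXED_VERSIONS:
        return "not covered by this advisory"
    version = record["os_version"]
    if platform == "macOS" and parse_version(version)[0] < 26:
        # The page lists only macOS Tahoe (26.x).  Whether earlier macOS majors are
        # affected is not stated there, so do not call them patched.
        return "not covered by this advisory"
    return "patched" if is_fixed(version, FIXED_VERSIONS[platform]) else "VULNERABLE"


def report(inventory):
    """Map device name -> status for every record in the inventory."""
    return {r["device"]: classify_device(r) for r in inventory}


if __name__ == "__main__":
    for device, status in report(SAMPLE_INVENTORY).items():
        print(f"{device:12s} {status}")
```

For a single Mac, the version string to feed into this comes from `sw_vers -productVersion`; for iOS and iPadOS it has to come from the MDM inventory, since there is no shell on the device. Treating the unlisted cases as "not covered" keeps the report honest: confirm those against the Apple advisories rather than letting the script declare them safe.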
Workarounds
- Restrict application installations to trusted sources only (App Store for consumer devices, managed distribution for enterprise)
- Implement Mobile Device Management (MDM) policies to control application permissions and enforce security configurations
- For enterprise environments, restrict app sources: on macOS keep Gatekeeper limited to App Store or identified-developer apps, and on supervised iOS and iPadOS devices use the MDM restrictions that block installation from unmanaged sources and the trusting of enterprise developer certificates
- Regularly audit device security settings and ensure privacy controls are appropriately configured pending patch deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.